Gmail and SPF
Chris J Dixon
2024-10-12 09:20:38 UTC
I use Forte Agent to send email, via Virgin's mail servers, with
replies forwarded via my own domain email address.

I have set up the Gmail app password, which has been working

Action: failed
Final-Recipient: xxxxxxxxxxxxxxxx
Status: 5.0.0
Remote-MTA: dns; gmail-smtp-in.l.google.com
Diagnostic-Code: smtp; 550-5.7.26 Your email has been blocked because the sender is unauthenticated.
550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM.
550-5.7.26
550-5.7.26 DKIM = did not pass
550-5.7.26 SPF [cdixon.me.uk] with ip: [84.116.50.34] = did not pass
550-5.7.26
550-5.7.26 For instructions on setting up authentication, go to
550 5.7.26 https://support.google.com/mail/answer/81126#authentication ffacd0b85a97d-37d4b989e98si2592841f8f.501 - gsmtp

The IP address varies in different messages, all allocated by
Virgin's mail server, and clearly not unique to me.

I have read the various pages of instructions, including one on
my host:
<https://www.heartinternet.uk/support/article/how-do-i-add-spf-records-to-my-site.html>

but find myself totally unable to understand exactly what to do.
It also seems like trial and error is not a good way to go, if I
correctly understand that updated entries can take up to 48 hours
to propagate.

If I send directly from Virgin's online mail page, there are no
issues.

Chris
--
Chris J Dixon Nottingham UK
***@cdixon.me.uk @ChrisJDixon1

Plant amazing Acers.
Andy Burns
2024-10-12 09:40:15 UTC
Post by Chris J Dixon
but find myself totally unable to understand exactly what to do.
It also seems like trial and error is not a good way to go, if I
correctly understand that updated entries can take up to 48 hours
to propagate.

I remember other heart customers having a similar issue (no SPF at all, or
incorrect SPF) but can't remember if heart fixed it after a phone call,
or the customers fixed it by leaving heart!

In short what you need is that heart add an SPF record to the DNS for
your cdixon.me.uk domain containing

v=spf1 include:_spf.virginmedia.com ~all

which tells other email servers "when you're checking if I'm legit,
allow the servers that virgin nominate as valid" and "meh to anything
else", but not actually "block anything else".

If you use other email servers in addition to virgin's (e.g. your mobile
provider when away from home) then they need to be included too.
Chris J Dixon
2024-10-13 15:35:42 UTC
Post by Andy Burns
Post by Chris J Dixon
but find myself totally unable to understand exactly what to do.
It also seems like trial and error is not a good way to go, if I
correctly understand that updated entries can take up to 48 hours
to propagate.
I remember other heart customers having similar issue (no SPF at all, or
incorrect SPF) but can't remember if heart fixed it after a phone call,
or the customers fixed it by leaving heart!
In short what you need is that heart add an SPF record to the DNS for
your cdixon.me.uk domain containing
v=spf1 include:_spf.virginmedia.com ~all
which tells other email servers "when you're checking if I'm legit,
allow the servers that virgin nominate as valid" and "meh to anything
else", but not actually "block anything else".

Thanks very much Andy, that seems to have done the trick.

Chris
--
Chris J Dixon Nottingham UK
***@cdixon.me.uk @ChrisJDixon1

Plant amazing Acers.
Andy Burns
2024-10-12 09:45:53 UTC
Post by Chris J Dixon
I have read the various pages of instructions, including one on

I don't use heart or virgin, so you may want to xpost to
uk.tech.broadband in the hope you get replies from fellow customers who
have been there and got the T-shirt.
Theo
2024-10-12 10:48:07 UTC
Post by Chris J Dixon
I use Forte Agent to send email, via Virgin's mail servers, with
replies forwarded via my own domain email address.
I have set up the Gmail app password, which has been working
[...]
Post by Chris J Dixon
but find myself totally unable to understand exactly what to do.
It also seems like trial and error is not a good way to go, if I
correctly understand that updated entries can take up to 48 hours
to propagate.
If I send directly from Virgin's online mail page, there are no
issues.

The short answer is that any time you send a message as
***@yourdomain.com you need to send via the mail server run by the
people who host your domain. They can ensure that your domain has a
matching SPF record for their server.

The longer answer is that it is technically possible to add an SPF record to
your domain's DNS to indicate which server is a valid sender for
***@yourdomain.com. In an ideal world you'd add virgin's server and
that would resolve the problem. However the IT of big companies is not
simple, and as a general rule we couldn't guarantee how Virgin are going to
route their email internally and where it will emerge. It is also liable to
change without warning. So in practice this is just going to store up
problems for the future.

It used to be that you'd send email via the SMTP server of the network you
were on (eg your ISP's server at home and your employer's at work), who had
a whitelist based on IP addresses (all ISP customers could use their
server). That doesn't work any more: if you have a domain the mail needs to
go via the hoster for the domain so that it emerges matching the domain's
SPF record. If you do use the 'wrong' server then it's highly likely the
messages will be rejected as spam, as you are seeing.

Theo
Andy Burns
2024-10-12 11:07:23 UTC
Post by Theo
as a general rule we couldn't guarantee how Virgin are going to
route their email internally and where it will emerge. It is also liable to
change without warning. So in practice this is just going to store up
problems for the future.

Certainly don't try to construct your own list of virgin servers, use
the list they have constructed ... I have no idea how good virgin are at
keeping their own servers in their SPF lists, or referring to anyone
else's they outsource to, but right now _spf.virginmedia.com resolves to

"v=spf1 include:_mailcloud.virginmedia.com
include:_external.virginmedia.com include:_internal.virginmedia.com
include:_spf.fireeyecloud.com ~all"

which recursively resolves to

"v=spf1 ip4:212.54.59.64/26 ip4:212.54.57.64/26 ip4:212.54.57.64/26
ip4:84.116.6.0/23 ip4:84.116.50.0/23 ~all"

"v=spf1 ip4:78.33.8.111 ~all"

"v=spf1 ip4:193.38.82.91 ip4:193.38.82.92 ~all"

"v=spf1 ip4:34.223.9.0/24 ip4:34.223.11.128/25 ip4:34.223.12.0/25
ip4:38.27.116.128/27 ip4:165.254.91.16/28 ip4:38.27.116.96/27
ip4:165.254.91.96/27 ip4:149.13.95.32/27 ip4:154.57.155.16/28
ip4:100.25.99.0/25 ip4:100.24.127.128/25 ip4:3.122.63.0/24 ip4:52."
"215.218.128/25 ip4:63.34.31.0/25 ip4:63.34.218.0/24 ip4:3.123.5.0/24
ip4:34.223.36.0/24 ip4:3.93.93.0/24 ip4:3.112.99.0/24 ip4:3.112.100.0/24
ip4:3.97.207.0/24 ip4:3.97.208.0/24 -all"

Which does include the 84.116.50.34 address originally mentioned ...
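
An added example, not part of any post in the thread: a minimal offline SPF evaluator run over the records quoted above. It shows why 84.116.50.34 passes once cdixon.me.uk publishes the include, and that an included record's own ~all or -all only means "no match" to the record that includes it. It handles ip4/ip6/include/all only; the pairing of the resolved records with the include names (taken in post order) and the shortened fireeyecloud list are assumptions.

```python
import ipaddress

# TXT records as quoted in the thread (October 2024 snapshot; they may have changed).
# Pairing the resolved records with the include names in post order is an assumption.
RECORDS = {
    "cdixon.me.uk": "v=spf1 include:_spf.virginmedia.com ~all",
    "_spf.virginmedia.com": "v=spf1 include:_mailcloud.virginmedia.com "
        "include:_external.virginmedia.com include:_internal.virginmedia.com "
        "include:_spf.fireeyecloud.com ~all",
    "_mailcloud.virginmedia.com": "v=spf1 ip4:212.54.59.64/26 ip4:212.54.57.64/26 "
        "ip4:212.54.57.64/26 ip4:84.116.6.0/23 ip4:84.116.50.0/23 ~all",
    "_external.virginmedia.com": "v=spf1 ip4:78.33.8.111 ~all",
    "_internal.virginmedia.com": "v=spf1 ip4:193.38.82.91 ip4:193.38.82.92 ~all",
    # First two networks only; the full list is in the post above.
    "_spf.fireeyecloud.com": "v=spf1 ip4:34.223.9.0/24 ip4:34.223.11.128/25 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, records=RECORDS, budget=None):
    """Evaluate ip against domain's SPF record (ip4/ip6/include/all only)."""
    budget = budget if budget is not None else [10]  # RFC 7208 DNS-lookup limit
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"
            inner = check_host(ip, arg, records, budget)
            if inner in ("none", "permerror"):
                return "permerror"     # a broken include breaks the whole record
            matched = inner == "pass"  # inner fail/softfail just means "no match"
        else:
            raise NotImplementedError(name)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"
```

With these records, check_host("84.116.50.34", "cdixon.me.uk") returns pass, while an address outside every listed range returns softfail from the outer ~all.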